Skip to content
All research

Summarized web edition

This page is the concise web copy of the full RAILS research paper. The complete whitepaper expands the analysis, source notes, implementation artifacts, and appendices for board, legal, security, and technical review.

Request the full whitepaper
WhitepaperProposed standard · RAILS v1.2

The RAILS Framework

A capability-without-custody architecture for safe, compliant, and responsible agentic AI in real estate.

A governance and technical framework for boards, MLSs, brokerages, professional associations, regulators, and technology vendors.

Daniel Foch, Shemeer Ahmed, Anza Malik 40 min read
Share Post LinkedIn Email
An architectural gateway separating protected real estate systems from an AI interface

The boundary

AI may receive capabilities. It must not receive custody.

The control

Policy, identity, and authorization remain outside the model.

The accountability

Licensed humans and approved platforms retain consequential authority.

Scope and legal notice

This is a governance and technical architecture proposal, not legal advice and not an adopted industry standard. Any implementation must be validated against the laws, professional rules, data agreements, consent obligations, and vendor contracts that apply in its jurisdiction.

Why boards must act now

Realtors already crossed the AI adoption threshold. Governance has not.

Boards are not deciding whether members will begin using AI. Members are already using it in production work, often through general-purpose tools that sit outside a board-defined identity, permission, retention, provenance, and audit layer.

82%

of surveyed U.S. NAR-member real estate professionals said they currently use AI.

68%

reported using AI daily or several times per week.

63%

named accuracy or reliability as a concern.

49%

named compliance or legal issues as a concern.

The RPR 2026 AI Adoption Survey also found that 92% use AI now or plan to, 71% identify time savings as its leading value, and 68% save at least one hour per week. The survey was self-reported by 225 U.S. NAR-member real estate professionals, so it should not be generalized as a census of every market. Read the full RPR survey .

Interactive evidence review · Q5–Q13

Adoption is broad, frequent, valuable—and already touching higher-risk work

Select any bar, point, segment, or response label to inspect its exact share and count. Question-level respondent totals vary from 196 to 223; multi-select questions do not sum to 100%.

Q5n=222 · multiple responses allowed

Types of AI tools agents have used

Writing tools (social posts, emails, descriptions): 77.93% (173 respondents). The category describes tool type, not the data entered into it.

Q7n=222 · multiple responses allowed

Where AI is already affecting the real estate workflow

RAILS groups the survey’s tasks by workflow family; the horizontal position is the exact reported share. The grouping is analytical, not an additional survey measure.

Content

Communication

Market & property

Pipeline

No active use

Other

Writing listing descriptions: 68.47% (152 respondents).

Q6n=223

Frequency of AI use for real estate tasks

Q6: Frequency of AI use for real estate tasksDonut chart of survey responses. Select a response label for its exact percentage and count.68.16%daily / several weekly

Daily: 81 respondents. Daily plus several-times-weekly use totals 68.16%.

Q8n=219

Average time saved each week

Q8: Average time saved each weekDonut chart of survey responses. Select a response label for its exact percentage and count.67.58%save 1+ hour weekly

None: 28 respondents. The source report rounds this combined result to 68%.

Q9n=223

Confidence using AI-generated content with clients

Stacked confidence distribution. Select a segment for its exact response.

Somewhat confident: 80 respondents. Confident plus very confident totals 47.53%; the remaining 52.46% were somewhat or not confident.

Q10n=217 · multiple responses allowed

Where agents feel AI delivers value

Saving time: 70.97% (154 respondents). Productivity dominates, but almost one-third already cite pricing and market analysis.

Q11n=219 · multiple responses allowed

Concerns about using AI in real estate

Accuracy of outputs: 63.47% (139 respondents). Accuracy, compliance, and market-data interpretation are governance problems, not prompt-writing problems.

Q12n=196 · multiple responses allowed

Capabilities agents want RPR to expand

More CMA enhancements: 66.84% (131 respondents). The two leading requests move directly toward pricing and market interpretation.

Q13n=220

Biggest barrier to using AI more regularly

I do not have any major barriers: 33.64% (74 respondents). No major barriers is the largest single response, but it is a 33.64% plurality—not a majority.

Governance signal: only 3.64% selected uncertainty about what is allowed or safe as their single biggest barrier, while 33.64% reported no major barrier and 68.16% used AI daily or several times per week. The survey does not measure board oversight, data pasted into tools, account settings, retention, model training, or live IDX access. Those are risks requiring separate controls and audit—not facts that can be inferred as measured prevalence.

The survey does not directly measure board oversight. The governance conclusion is an inference: when adoption is already embedded in member workflows, the practical choice is no longer AI versus no AI. It is governed, permissioned paths versus unmanaged workarounds with weaker visibility and fewer shared controls. What members can already delegate is measurable: HomieBench v3 benchmarks eight frontier models across 100 supervised realtor workflows.

The detailed answers sharpen that inference. In Q5, 38.74% reported using market analysis or pricing tools and 22.52% reported AI CMA tools. In Q7, 30.63% reported analyzing market trends and 24.32% reported running CMAs or pricing conversations. One qualitative respondent also said they use AI heavily when processing trends from MLS data. The survey does not establish how common it is for members to paste MLS, client, or transaction data into a model, but it demonstrates enough high-stakes use to make data-flow controls urgent.

Training, retrieval, and live data are different mechanisms.

A realtor entering information into a consumer AI service can create confidentiality, retention, and model-improvement risk depending on the product and account settings. It does not give the base model a real-time private IDX connection, and it does not explain every current market answer. OpenAI says individual-service content may be used to improve models unless the user opts out, while its business products and API are excluded by default; Anthropic likewise distinguishes consumer choices from commercial products. Up-to-date answers may instead come from web search, a connected tool, a public webpage, or context supplied in the current conversation. See the official data-use explanations from OpenAI and Anthropic , plus the current-search documentation for ChatGPT and Claude .

Adoption is ahead of governance. Waiting does not preserve the status quo; it cedes the control surface.

Executive briefing

Abstract

Agentic AI is becoming an interface through which consumers and professionals discover information, compare options, make decisions, and initiate action. In real estate, the interface that captures the question also captures commercially valuable intent: preferences, search refinements, objections, timelines, affordability constraints, and next steps.

Boards and MLSs therefore face two risks at once. Blanket prohibition can push members toward ungoverned consumer tools and workarounds. Unrestricted access can transfer protected listing, client, and transaction data into systems that were not designed to govern it. Neither extreme is durable.

The AI may receive capabilities. It must not receive custody.

RAILS—the proposed Realtor Agentic Interoperability Layer Standard—keeps protected data in its proper system of record while exposing narrowly scoped, identity-bound, purpose-bound, auditable capabilities. Models may search, summarize, prepare, validate, or request an action. They do not receive feed credentials, become the CRM, persist a shadow listing database, create the authoritative contract in an unapproved sandbox, or apply a signature.

The result is a model-agnostic architecture that combines zero trust, least privilege, purpose limitation, split-channel secure rendering, deterministic computation, human approval for consequential actions, immutable audit events, and capability-level vendor certification.

1Strategy

The risk is interface displacement—not simply data access.

Organized real estate was built around cooperation: competing professionals shared inventory under common rules for attribution, access, display, accountability, and data quality. That cooperative infrastructure also created an information advantage. AI and open distribution are reducing the marginal cost of basic access and interpretation.

Figure 1

Where professional value moves

Historic value stack

Access↓ lower marginal value
Interpretation↓ lower marginal value
Negotiation
Execution

Durable professional value

Fiduciary alignment
Judgement
Risk ownership
Service
Compliant execution
AI makes access and basic interpretation cheaper. It increases the relative value of accountable human judgement and execution; it does not erase them.

The professional does not disappear when information becomes cheaper. The professional’s comparative advantage moves toward fiduciary alignment, judgement under uncertainty, negotiation, risk ownership, service coordination, and accountable execution. The board’s advantage changes in parallel: from information scarcity toward identity, permission, provenance, quality, interoperability, auditability, and revocation.

The market is already showing this shift. In October 2025, Zillow and OpenAI launched a conversational listing experience inside ChatGPT. Zillow says it controls the rendered experience, does not send OpenAI a raw MLS feed, and preserves MLS attribution and field controls. That architecture is a live example of a capability being made available without transferring feed custody. See the primary announcements from Zillow and Zillow’s industry explanation .

In June 2026, HouseCanary described a national expansion of Google’s mobile home-discovery program using listings from participating MLSs with broker and agent attribution. The announcement is evidence of real-estate discovery moving into a horizontal intent layer, although it should not be read as proof of any architecture beyond what the publisher describes. See the HouseCanary announcement .

Tool-connected AI is also becoming portable. OpenAI’s Apps SDK is built on the Model Context Protocol; Anthropic describes MCP as an open standard for connecting AI systems to external tools and data. These facts do not prove that every portal will integrate with every model. They do establish the interface pattern: natural-language request, controlled tool call, external system, structured result, and rendered experience. See OpenAI and Anthropic .

Figure 2

The board’s strategic choice

Platforms participatePlatforms bypass
Blanket restriction

Controlled stagnation

Restrictions hold, but useful member workflows remain underdeveloped.

Highest strategic risk

Interface displacement

Members adopt workarounds while external platforms capture intent and workflow.

Governed access
Preferred path

Governed innovation

Certified tools improve member capability while boards retain policy control.

Partial alignment

Approved paths exist, but external incentives still require active oversight.

This is a qualitative decision matrix, not a quantified payoff model. The external platform response is uncertain; the governance choice is not.

The choice is not “AI or no AI.” It is whether adoption happens inside a governable perimeter or outside one. Governed access creates new diligence and enforcement work, but it also gives boards a path to set requirements, certify capabilities, monitor use, revoke access, and keep professional accountability visible.

2Boundary

Capability, not custody

Custody exists when a model provider, agentic harness, or vendor application can persist, redistribute, train on, broadly index, or become an alternate source of truth for protected data. Capability exists when an authenticated actor can request one defined business action through a controlled service with bounded input, output, purpose, retention, and side effects.

Figure 3

Capability crosses the boundary. Custody does not.

Systems of record

CRM

Client and consent records

MLS / IDX / VOW / DDF

Listing and market data

Transaction platform

Authoritative documents

Policy & capability gateway

  • Identity + purpose
  • Field minimization
  • Rate + scope limits
  • Approval + audit

Agentic interface

Receives a bounded result, opaque reference, secure view, or approved action status—not raw feeds, signing keys, or authoritative custody.

The policy engine sits outside the model. The model may propose a tool call; it cannot grant itself permission.

Good capability design

  • listings.search_display
  • cma.prepare
  • market_stats.calculate
  • crm.task_create
  • transaction.validate
  • transaction.dispatch_approved

Unsafe generic access

  • run_sql
  • download_feed
  • export_all_contacts
  • read_any_record
  • sign_document
  • unrestricted_browser

Every capability should declare its eligible actors, allowed purpose codes, data classes, result ceilings, risk tier, human approval requirement, retention class, audit events, failure behaviour, and revocation path. Credentials remain at the gateway or system of record; they never enter model context.

  • The model is never the system of record.
  • Protected data is purpose-bound and minimized.
  • Credentials and signing keys never enter model context.
  • Deterministic services calculate and validate where correctness matters.
  • Consequential actions remain attributable to an authorized human.
  • Every access is observable, revocable, and auditable.
  • Interfaces remain model-agnostic to reduce platform lock-in.
  • Human-rights, privacy, and professional duties are enforced by design.
3Data governance

Three protected data domains, three proper systems of record

A workable policy must stop treating “real-estate data” as a single class. Listing, client, and transaction data carry different permissions, risks, and authoritative systems. RAILS applies the same boundary to all three while preserving those differences.

01

Consumer and client data

Identity, contact, finances, motivations, search preferences, consent, notes, and communications.

System of record
Approved CRM or brokerage business system.
Permit
Minimum fields for a declared task; pseudonymous references; scoped task, note, or draft creation.
Prohibit
Database copies in prompts or memory; unrestricted search; cross-tenant access; training or feedback use.
02

Listing and market data

Active and historical listings, media, remarks, sold data, showing data, statistics, and display instructions.

System of record
Board/MLS source and approved IDX, VOW, DDF, RESO-aligned, or participant application.
Permit
Permissioned search, secure rendering, deterministic CMA/statistics, and opaque report references.
Prohibit
Raw feed transfer, generic SQL, bulk extraction, confidential-field leakage, shadow indexes, or unauthorized scraping.
03

Transaction and contract data

Agreements, offers, amendments, disclosures, signatures, dates, review records, and correspondence.

System of record
Approved forms, transaction-management, document-management, compliance, or e-signature platform.
Permit
Form selection, proposed fields, validation, exact-version review, and approved platform dispatch.
Prohibit
Authoritative documents in an AI sandbox; autonomous signature or delivery; post-approval mutation.

Split-channel secure rendering

Protected listing detail does not always need to enter the model’s natural-language context. The model can receive a count, an opaque widget reference, policy metadata, and a secure view URL. The user interface then retrieves the authorized listing component directly from the IDX, VOW, DDF, brokerage, or board-controlled origin. The display channel and the model channel remain separate.

This pattern is compatible with existing permission-based distribution models. CREA describes REALTOR.ca DDF® as a managed, permission-based service in which broker owners control how listing content is shared. RESO publishes current Web API and Data Dictionary specifications that can provide common vocabulary for capability schemas. See CREA DDF® and RESO specifications .

Figure 6

Prepare → review → approve → commit

01

Prepare

AI proposes structured fields

02

Render

Approved platform builds exact version

03

Validate

Rules, dates and required fields

04

Review

Licensed human sees immutable artifact

05

Approve

Approval binds to document hash

06

Commit

Platform dispatches and archives

If the artifact changes after review, the hash changes and the approval becomes invalid. AI never holds the signing credential.
4Technical design

A trust architecture around the model—not inside it

RAILS separates probabilistic interpretation from identity, authorization, calculation, recordkeeping, and binding execution. A model may infer what a user is trying to achieve; it does not decide whether the user is entitled to achieve it.

Figure 4

RAILS reference architecture

01

Experience

Professional workspace, consumer portal, mobile app

02

Orchestration

Planning, model routing, task state, tool selection

03

Policy & identity

OIDC/OAuth, MFA, roles, attributes, purpose, consent

04

Capability gateway

Fixed schemas, field filters, limits, approval gates

05

Systems of record

Listing, CRM, forms, transaction, document and signature platforms

06

Audit, provenance & incident

Trace IDs, hashes, policy versions, anomaly detection, revocation

RAILS separates probabilistic planning from deterministic authorization, execution, and recordkeeping. Audit spans every plane.

The policy and identity plane evaluates the subject, action, resource, data class, purpose, consent, jurisdiction, time, and risk tier. The capability gateway then asks the authoritative application to perform the action. The default response is the minimum sufficient projection—not the entire underlying resource.

Conceptual authorizationillustrative
allow = policy(
  subject,
  action,
  resource,
  data_class,
  purpose,
  consent,
  jurisdiction,
  time,
  risk_tier
)

result = minimize(authoritative_data, purpose, role, consent, policy)

This architecture follows the same direction as zero-trust systems: no implicit trust based on location or ownership, explicit authentication and authorization, and policy focused on users, services, and resources. NIST SP 800-207A further describes granular application-level policy enforcement through gateways and service identities. See NIST SP 800-207 and NIST SP 800-207A .

5Controlled listing-data execution

The coding agent may change the IDX website. The IDX website must control the live data.

Realtors and brokerages already use authorized IDX websites and applications to present listing information under applicable agreements, board rules, display requirements, and participant control. Coding agents can also modify website code. RAILS combines those facts without creating a new raw-data entitlement: the approved IDX application remains the only runtime permitted to hold credentials, query live listing data, enforce field and display rules, and render the result.

NAR’s current IDX policy describes authorized display through participant-controlled websites, mobile apps, and other approved mechanisms, requires the participant to control how listings are displayed, and states that MLS database access may not be given to an unauthorized person or entity. See NAR IDX Policy Statement 7.58 . In Canada, CREA describes DDF® as a permission-based distribution service and a Member Website Feed for listing display on a member-controlled website; see REALTOR.ca DDF® .

Figure 5

The controlled IDX website boundary

Board / MLS source

Listing data, credentials, field permissions, refresh, attribution, and distribution rules remain protected.

Approved IDX website / application

Live query

Executes server-side

Policy

Applies display rules

Render

Returns coded outcome

Consumer or realtor page

Buyer search, neighbourhood page, property experience, or deterministic home evaluation with current permitted data.

Coding agent

Edits templates, components, schemas, tests, mock fixtures, and approved query definitions. It does not receive feed credentials, query the live database, or ingest the raw IDX payload.

Code boundary
The coding agent changes the experience. The approved IDX application controls the live data, query execution, display rules, and audit trail.

The coding agent changes the experience. The approved IDX application controls the data.

The model may help create a custom buyer-search page, neighbourhood experience, listing comparison, property page, or deterministic home-evaluation workflow. It can edit React components, templates, schemas, tests, mock fixtures, explanatory copy, and approved parameterized query definitions. It must not receive the raw feed, reuse feed credentials, query the live database, create a shadow index, or copy bulk listing data into model memory.

Permitted development plane

Documented schemas, approved SDKs, redacted fixtures, mock listing records, component code, query definitions, validation, display tests, and deployment review.

Protected runtime plane

Feed credentials, live IDX payloads, confidential fields, database access, refresh, attribution, field entitlements, rate limits, consumer audit, and production queries.

Coded buyer-search outcome

The agent builds the page and constrained filters. The IDX server validates the query, executes it live, and renders current permitted listings.

Coded home-evaluation outcome

The agent builds the intake and explanation. Approved services retrieve permitted inputs and run deterministic calculations, with provenance and licensed review.

Approved IDX page contractillustrative
capability: idx.page.render
actor: participant_controlled_website
agent_visibility: [schema, mock_fixture, query_definition, rendered_metadata]
agent_prohibited: [feed_credential, live_database, raw_payload, bulk_export]
runtime:
  execute_query: approved_idx_application
  enforce: [field_permissions, attribution, freshness, display_rules, rate_limits]
output:
  returns: [rendered_page_ref, result_count, data_as_of, provenance]
deployment:
  tests_required: [query_bounds, prohibited_filters, attribution, stale_data, extraction]
  human_approval: required

RESO notes that its Web API can execute live queries for immediate results in web applications and defines an IDX payload as the structured fields needed for display on an IDX website. RAILS places that live query and payload handling inside the authorized application boundary—not inside model context. See the RESO Web API overview .

  • The website or approved application—not the model—is the data recipient and runtime.
  • The coding agent receives schemas, fixtures, and opaque result references, not feed credentials.
  • Live queries execute server-side under participant identity, purpose, and policy.
  • Rendered pages preserve attribution, freshness, filtering, display, and access requirements.
  • Every deployed code or query-definition change is tested, reviewed, versioned, and reversible.
  • Boards can audit and revoke the application capability without granting access to the model.
6Agentic workflows

A Realtor Agent Capability Catalogue for showings, CRM follow-up, social media, and conversations

RAILS is not only a listing-search architecture. The same capability-without-custody boundary applies to the repetitive workflows that realtor tools are beginning to automate. Each workflow needs a named action, authorized actor, purpose, minimum data, deterministic checks, human boundary, audit event, and revocation path.

Showing coordination

Read permissioned availability; request, reschedule, or cancel; reconcile calendars; securely render instructions; record every decision.

CRM follow-up

Create tasks, notes, appointments, and bounded stage changes in Follow Up Boss, HighLevel, Lofty, BoldTrail, or another approved CRM.

Social production

Transform approved source material, verify facts and rights, obtain human approval, publish through official APIs, and store post provenance.

DM and conversation handoff

Respond within channel rules, capture explicit lead information, stop on opt-out or ambiguity, and transfer consequential advice to a realtor.

AI showing booking for Zillow, ShowingTime, BrokerBay, and Touchbase

Showing coordination is a high-value candidate for a board-defined API profile because the workflow crosses listing permissions, realtor identity, buyer context, calendars, seller instructions, appointment status, lockbox information, and feedback. Zillow’s Real-Time Touring currently uses ShowingTime availability and can synchronize booking changes between the Zillow Premier Agent experience and ShowingTime. See Zillow Real-Time Touring . ShowingTime has also described real-time availability for broker and agent websites through an API; see the ShowingTime announcement .

BrokerBay and Touchbase are important showing-management systems in Canadian and North American markets. Their public sites describe appointment scheduling, confirmations, availability, instructions, feedback, and brokerage/board workflows, but a consistently documented self-serve developer surface is not evident for every use case. Boards and vendors should expose permissioned capabilities rather than forcing innovators to infer access from the user interface. See BrokerBay and Touchbase showing workflows .

In the absence of a supported interface, some teams experiment with agentic browser use through development harnesses. That workaround can inherit a realtor’s broad session, break on interface changes, mishandle MFA, duplicate appointments, expose confidential showing instructions, or violate platform terms. Browser automation may be useful for a supervised prototype, but it should not become the industry’s default showing control plane.

Showing capability profileillustrative
profile: rails/1.0
capability: showing.request_create
eligible_roles: [licensed_realtor, authorized_assistant]
required_scopes: [showing:availability_read, showing:request_create]
input:
  listing_ref: opaque
  requested_slots_max: 3
  buyer_context_ref: crm-scoped
  idempotency_key: required
policy:
  listing_status_current: required
  calendar_conflict_check: required
  agency_and_consent_state: required
output:
  returns: [request_ref, status, expiry, secure_instruction_ref]
  model_visibility: no_lockbox_or_confidential_instructions
human_review: required_on_exception
audit: append_only
revocation: immediate
  • showing.availability_read
  • showing.request_create
  • showing.request_reschedule
  • showing.request_cancel
  • showing.instructions_render_secure
  • showing.feedback_submit

AI Follow Up Boss, AI GoHighLevel, AI Lofty CRM, AI kvCORE / BoldTrail, Sierra Interactive, CINC, Real Geeks, BoomTown, Wise Agent, and Top Producer

Search demand is clustering around specific realtor tools, but the governance unit should remain the capability. The 84-system integration directory maps this landscape with documented access status for every system. Follow Up Boss documents a REST API and signed webhooks. HighLevel exposes contacts, conversations, calendars, opportunities, payments, and a broad webhook catalogue. Lofty documents developer access to leads, listings, transactions, communications, and AI features. BoldTrail is the current ecosystem name associated with kvCORE. Sierra Interactive, CINC, Real Geeks, BoomTown, Wise Agent, Top Producer, HubSpot, Salesforce, and other CRMs vary in partner access, object coverage, and commercial terms.

RAILS should make those differences explicit while preserving common actions: crm.person_match, crm.note_create, crm.task_create, crm.appointment_create, crm.stage_propose, and crm.opt_out_record. See the developer materials for Follow Up Boss , HighLevel , and Lofty .

AI social media for realtors: OpusClip, SumoClip, Higgsfield, Zernio, and ManyChat

A governed social agent can transform approved source material with AI clipping, create disclosed synthetic assets or presenter variants, obtain exact-artifact human approval, publish through official platform APIs, manage permitted comment and DM workflows, and write qualified leads back to the CRM. It should not scrape social dashboards, invent listing facts, reuse media without rights, impersonate a realtor, or continue a conversation outside platform and consent rules.

The follow-up Homies Research paper, The Real Estate Social Media AI Agent Stack, covers OpusClip, SumoClip, Supo, Higgsfield AI clones, the Zernio API, ManyChat, CRM integration, cost, measurement, and human-review controls in detail.

7Privacy

“We do not train on your data” is not a retention policy

A model request necessarily processes some input during inference. “No data in the model” is therefore useful shorthand but not an enforceable specification. The policy must enumerate every place protected information may persist.

01

Training and fine-tuning

02

Provider abuse-monitoring logs

03

Conversation history

04

Model memory

05

Assistant or thread state

06

Files and vector stores

07

Prompt caches

08

Tracing and observability

09

Tool, connector, browser, and subprocessor logs

A defensible vendor matrix identifies retention by endpoint and feature, training and feedback status, memory defaults, file lifecycle, cache behaviour, trace redaction, human-review exposure, subprocessors, residency, deletion verification, encryption, and incident obligations. Consumer accounts should not be used for protected workflows.

In Canada, organizations subject to PIPEDA must address accountability, identified purposes, consent, limiting collection, limiting use/disclosure/retention, accuracy, safeguards, openness, access, and challenge rights. Provincial law and sector-specific rules may also apply. See the Office of the Privacy Commissioner of Canada .

The proposed rule is precise: protected real-estate data may not be used for training, fine-tuning, model improvement, feedback, persistent memory, reusable retrieval indexes, model-managed files, or long-lived application state unless every party with the legal authority to permit that use has done so. Transient processing must be minimized, purpose-bound, encrypted, contractually protected, and subject to the shortest available retention.

8Security

Agentic systems expand the attack surface because they can act

Traditional application security remains necessary, but an agent adds instruction interpretation, tool selection, workflow state, and cross-system action. Controls must assume that retrieved content can be hostile and that a fluent model output can still be wrong or manipulative.

Agentic AI threats and required real estate controls
ThreatReal-estate failure modeRequired controls
Prompt injectionMalicious instructions in remarks, CRM notes, email, documents, or webpages.Treat retrieved content as data; isolate instructions; external policy engine; fixed output schemas.
Tool misuseA legitimate capability is called with dangerous parameters, frequency, or scale.Server-side validation, result ceilings, query budgets, rate limits, read/write separation, confirmation.
Identity and privilege abuseA user, model, or connector exceeds its role, tenant, purpose, or jurisdiction.Short-lived tokens, audience restriction, per-tool scopes, tenant isolation, step-up authentication.
Supply-chain compromiseA tool, MCP server, package, or vendor integration changes or is subverted.Approved registry, pinned versions, signed manifests, SBOM/AIBOM, monitoring, emergency revocation.
Unexpected code executionA production agent obtains shell, filesystem, or unrestricted network access.No production shell, sandboxed execution, egress allowlists, ephemeral compute, reviewed deployment paths.
Memory and context poisoningFalse or hostile state is stored and reused as if authoritative.No protected-workflow long-term memory; authoritative records; signed provenance; expiry and reconciliation.
Human trust exploitationA plausible explanation is mistaken for legal, valuation, or compliance authority.Source and freshness display, uncertainty, review checklists, and friction for consequential actions.

The OWASP Top 10 for Agentic Applications 2026 provides a useful cross-industry baseline. NIST’s voluntary Generative AI Profile organizes risk work around governance, mapping, measurement, and management. RAILS translates those foundations into real-estate-specific data and action boundaries; it does not replace either framework.

Audit events should be append-only and include trace ID, actor, tenant, capability, purpose, risk tier, resource reference, request/response hashes, policy version, authorization result, approval reference, outcome, and retention class. Raw protected payloads should not be logged by default.

9Reliability

Models may explain. Authoritative systems must calculate and verify.

A model can help a professional reason about a result, but it should not free-form a CMA, filing deadline, disclosure decision, binding form, or protected-field determination. Deterministic services should calculate comparable filters, distances, date windows, prices, adjustments, mortgage figures, taxes, deadlines, required fields, signature completeness, and document hashes.

Minimum provenance envelope
Source
Authoritative system and record reference
Time
Retrieved at and data-as-of timestamps
Permission
Actor, tenant, purpose, and field context
Versions
Policy, tool, calculation, and schema
Method
Material assumptions and result limits
Review
Human-review requirement and approval ID
Provenance responseillustrative
{
  "result_ref": "cma_01J...",
  "source": "approved-vow-service",
  "retrieved_at": "2026-07-14T14:21:08Z",
  "data_as_of": "2026-07-14T14:19:55Z",
  "policy_version": "board-agentic-policy-1.2",
  "tool_version": "cma-service-3.4.1",
  "calculation_version": "adjustments-2.0",
  "model_visibility": "metadata_only",
  "human_review_required": true
}
10Consumer protection

Objective criteria, explainable trade-offs, and anti-steering by design

Agentic interfaces can amplify discrimination when they accept protected-class preferences, infer them from proxies, or translate vague language into demographic steering. The design rule is consistent even where specific protected grounds differ: do not accept, infer, optimize, or conceal protected-class criteria.

Unsafe request

“Find me a family neighbourhood without immigrants.”

Required transformation

Reject the protected-class criterion. Offer objective alternatives such as budget, commute, property type, accessibility, lot size, parks, transit, or other legally appropriate housing attributes.

  • Maintain prohibited-feature and proxy-feature catalogues.
  • Log the objective criteria that include or exclude each result.
  • Explain trade-offs rather than rank communities as good or bad.
  • Test recommendations and ad delivery for disparate patterns.
  • Escalate ambiguous requests to an authorized human.
  • Apply the specific law and professional rule of each jurisdiction.

Ontario’s Human Rights Code protects equal treatment in buying, selling, and renting housing on Code-protected grounds. In the United States, HUD guidance identifies risks including denying housing information, differential terms, and steering through digital advertising. See the Ontario Human Rights Commission and HUD’s digital-platform guidance . Implementers must verify current local law rather than reuse either list as a universal rule.

11Operating model

Certify capabilities—not vendors in the abstract

A vendor may be suitable for secure listing rendering and unsuitable for transaction dispatch. A brokerage tool may be approved to create a CRM task and prohibited from bulk export. Certification should therefore attach to a capability, data class, actor, purpose, and risk tier—not to a logo.

RAILS capability risk tiers
TierClassExamplesApproval boundary
0ProhibitedRaw-feed transfer, training on protected data, autonomous signatures, cross-tenant accessNone
1Read and navigatePublic/permissioned search, source attribution, secure renderingReview before reliance
2Authenticated analysisVOW search, CMA preparation, market statistics, deterministic calculationsHuman review before sharing
3Workflow write-backCRM notes, tasks, drafts, scheduling, bounded internal updatesConfirm external communication
4Transaction preparationForm selection, field population, clause proposal, validationLicensed-human review required
5Binding or external actionSend for signature, deliver an offer/notice, release confidential informationStep-up auth + exact-version approval

Figure 8

Higher capability buys a heavier human gate

0

Prohibited

No path to approval

Raw-feed transfer, training on protected data, autonomous signatures

1

Read and navigate

Review before reliance

Permissioned search, attribution, secure rendering

2

Authenticated analysis

Human review before sharing

VOW search, CMA preparation, deterministic statistics

3

Workflow write-back

Confirm external communication

CRM notes, tasks, drafts, bounded internal updates

4

Transaction preparation

Licensed-human review required

Form selection, field population, clause proposal

5

Binding or external action

Step-up auth + exact-version approval

Send for signature, deliver an offer, release confidential information

Each step up the capability ladder narrows the bar and strengthens the approval boundary. Tier 5 actions never execute without step-up authentication and approval bound to the exact document version.

Evidence should include architecture and data-flow diagrams, a field-level data inventory, model and subprocessor lists, retention matrices, training-use commitments, tenant-isolation tests, OAuth scopes, tool schemas, red-team results, fair-housing or human-rights testing, approval design, audit-event catalogues, incident response, business continuity, kill-switch procedures, deletion evidence, and software/AI bills of materials.

From feed governance to capability infrastructure

The same institutions that created permissioned distribution can expose controlled search, valuation support, statistics, geographic intelligence, rendering, compliance validation, attribution, and provenance endpoints. The strategic product is no longer only a feed. It is a governed capability platform that lets new interfaces operate on board-defined terms.

The model is not the accountable actor.

A model cannot hold a licence, professional insurance, a fiduciary duty, or disciplinary responsibility. The registrant, brokerage, board, and vendor retain the obligations their roles create.

12Adoption

A one-year path from policy inventory to transaction preparation

The safest adoption path increases capability only after the preceding control layer has been demonstrated. Boards should begin with inventory and a narrow read-only path, not a high-risk transaction automation showcase.

  1. 0–90 daysPhase 1

    Policy and inventory

    Map systems and data classes; identify shadow AI; define prohibited uses; create legal, privacy, security, technical, and member governance.

  2. 90–180 daysPhase 2

    Read-only pilot

    Certify a narrow search and secure-rendering path; test injection, bulk extraction, attribution, freshness, field permissions, and revocation.

  3. 180–270 daysPhase 3

    Analytics and CRM

    Add deterministic CMA/statistics and purpose-bound CRM tools; implement shared audit events and privacy-impact review.

  4. 270–365 daysPhase 4

    Transaction preparation

    Integrate approved forms platforms; bind human approval to immutable document versions; keep dispatch platform-side.

  5. Year 2Phase 5

    Standards and scale

    Publish an Agentic Access Profile, align schemas with RESO concepts, support multiple vendors, and operate red-team and incident-sharing programs.

Keeping the human in the loop: safe integration in one workflow

The tier progression stays abstract until it is applied to a single consequential workflow. Take the one members care about most: writing an offer.

In the first phase, the AI writes the offer inside a supervised harness, and the realtor does everything else: uploads the document into the approved platform, reviews it, and completes the signing flow themselves. The model’s autonomy ends at the draft. Review is enforced by the physics of the workflow, because nothing reaches a client that the realtor did not personally move and sign.

In the second phase, the AI writes the offer, uploads it, and routes it for signature. One rule changes: the signing order. The document goes to the realtor before the client. By signing first, the realtor legally binds themselves to the AI-prepared instrument before the client ever sees it. Accountability stops being a procedural checkbox and becomes a property of the instrument itself.

Figure 7

The human stays in the loop. The loop moves earlier.

Phase 1AI autonomy: Drafting only

AI drafts. The realtor executes everything.

AI

AI writes the offer

Draft prepared from approved forms and validated fields

Human

Realtor uploads it

The licensed human moves the document into the platform

Human

Realtor signs

Review happens with hands on the instrument

Human

Client signs

The client receives a human-executed document

Phase 2AI autonomy: Preparation and routing

AI drafts and dispatches. The realtor signs first.

AI

AI writes the offer

Same drafting capability, same approved forms

AI

AI uploads and routes

The platform receives the exact version for signature

Human gate

Realtor signs first

The licensee binds themselves to the AI output before the client sees it

Human

Client signs

The client only ever receives a realtor-executed document

As autonomy grows from Phase 1 to Phase 2, the human checkpoint does not disappear. It moves earlier and gets stronger: from manual execution to a signature that legally binds the licensee to the AI-prepared instrument before the client ever sees it.

The pattern generalizes across every tier in this framework. As autonomy increases, the human checkpoint does not disappear; it moves earlier and its consequences get heavier. The AI may earn more of a workflow only where the accountable human’s commitment is captured by a mechanism that cannot be skipped: a signature order, a document hash, a step-up approval. Section 14 shows the hash-bound version of the same idea, where approval binds to the exact document version and any later mutation invalidates it.

Phase two does not remove the human. It moves the signature earlier, so the licensee is bound to the AI’s work before the client ever sees it.

Success metrics should be operational: policy violations prevented, field-minimization rate, attribution correctness, tool-call failure rate, human-review completion, revocation time, incident detection time, unauthorized extraction resistance, and member time saved—not raw prompt volume.

13Board-ready language

Model policy clauses for counsel and rulemaking teams

The following clauses are starting points for jurisdiction-specific drafting. They are deliberately technology-neutral and preserve existing duties.

General authorization

A participant may use an approved agentic AI system to search, summarize, analyze, render, prepare, or initiate actions involving authorized data, provided the participant remains responsible and all existing data-use, display, privacy, professional-conduct, attribution, security, and supervision requirements continue to apply.

System of record

The agentic system must not serve as the authoritative repository for listing, client, or transaction data. Such data must remain within a board-approved, brokerage-approved, or legally authorized system of record.

Training and retention

Protected data may not be used to train, fine-tune, improve, evaluate, or provide feedback to a model unless expressly authorized by every party with the legal right to authorize that use. Persistent memory and unapproved retrieval storage are prohibited for protected workflows.

Listing boundary

Raw feeds, feed credentials, and bulk listing datasets may not be provided to a model or agentic harness. Access must occur through approved, narrowly scoped tools that preserve field permissions, display rules, attribution, freshness, and participant control.

IDX website execution boundary

An approved coding agent may prepare or modify participant-controlled IDX website code, templates, components, schemas, tests, and parameterized query definitions. Live listing queries, feed credentials, raw payloads, confidential fields, and database access must remain within the approved IDX application, which must enforce current field permissions, attribution, freshness, display, security, extraction, and audit requirements.

Client boundary

Client and consumer data must remain in an approved CRM or business system. Agentic access must be purpose-limited, consent-aware, least-privileged, logged, and restricted to the minimum information necessary.

Transaction boundary

Authoritative transaction instruments must be generated, versioned, stored, and executed within an approved platform. No potentially binding document may be issued or sent for signature without affirmative review and approval of the exact version by an authorized licensed human.

Audit and revocation

The board or MLS may require audit records reasonably necessary to investigate suspected misuse and may suspend or revoke a tool, integration, vendor, or participant capability where data security, consumer protection, or rule compliance is at risk.

Human accountability. Use of an agentic system does not transfer or reduce the legal, ethical, contractual, fiduciary, supervisory, or professional responsibility of the participant, brokerage, board, or vendor.
14Implementation artifacts

A concrete, testable Agentic Access Profile

Natural-language policies are necessary but insufficient. Each approved capability should have a machine-readable profile that certification tests can exercise.

Capability manifestillustrative
profile: rails/1.0
capability: cma.prepare
risk_tier: 2
eligible_roles: [licensed_realtor]
required_scopes: [cma:prepare]
purpose_codes: [seller_evaluation, buyer_analysis, brokerage_review]
input:
  schema: cma-request/2.1
  max_records: 50
output:
  model_visibility: metadata_only
  returns: [cma_ref, secure_view_url, expiry, provenance]
human_review: required_before_share
retention_class: audit_metadata_only
revocation: immediate

For transactions, approval must bind to an immutable artifact. A later mutation must invalidate the approval and force a new review.

Exact-version approvalillustrative
function dispatchApproved(documentBytes, approval) {
  assert(approval.expiresAt > now())
  assert(sha256(documentBytes) === approval.documentSha256)
  assert(currentActor.id === approval.reviewerId)
  assert(policyAllows("transaction.dispatch", approval.purpose))

  // The approved platform holds the signing credential.
  return transactionPlatform.dispatch(documentBytes, approval.id)
}

Production implementations should use asymmetric signatures or a managed key service, short-lived tokens, replay protection, step-up authentication, and explicit audience and tenant binding. Samples in this paper illustrate control shape; they are not production security code.

Conformance tests

Schema bounds, permission denial, field leakage, bulk extraction, failure state, and audit completeness.

Policy tests

Purpose, jurisdiction, consent, risk tier, approval, revocation, and protected-feature transformations.

Security tests

Direct and indirect injection, privilege escalation, connector compromise, exfiltration, and trace redaction.

Governance tests

Vendor-change notices, model changes, subprocessors, deletion evidence, incident drills, and kill-switch timing.

Conclusion

Organized real estate can govern the interface shift without surrendering the record

Consumers will choose convenient interfaces. Professionals will choose tools that save time. Portals and model providers will continue competing for the point at which intent becomes workflow. The durable response is not to pretend that shift can be stopped. It is to define the trust infrastructure through which it operates.

The useful boundary is custody versus capability; persistent storage versus controlled transient processing; autonomous action versus accountable approval; probabilistic explanation versus deterministic calculation; and ungoverned distribution versus auditable access.

Better interfaces should operate through board-defined trust—not around it.

Boards that define identity, permission, provenance, quality, interoperability, auditability, certification, and revocation can protect data while improving member capability. Boards that focus only on yesterday’s interface may preserve the feed while losing influence over tomorrow’s consumer journey.

Questions

Frequently asked questions about RAILS

What is the RAILS Framework?

RAILS, the Realtor Agentic Interoperability Layer Standard, is a proposed governance and technical architecture for agentic AI in real estate. It lets AI systems do useful member work through narrow, permissioned capabilities while custody of listing, client, and transaction data stays in board-approved systems of record.

What does capability without custody mean?

An AI system can be granted a bounded capability, such as running a permissioned listing search or preparing a CMA, without ever holding the underlying dataset, feed credentials, or authoritative record. Capability crosses the trust boundary. Custody does not.

Can an AI agent sign or send an offer under RAILS?

No. Binding and external actions sit in the highest capability tier, which requires step-up authentication and human approval bound to the exact document version. A licensed human signs before a client ever sees an AI-prepared instrument, and a later mutation of the document invalidates the approval.

How does a realtor keep a human in the loop without losing the speed benefits?

By moving the checkpoint instead of removing it. In an early phase the AI drafts the offer and the realtor uploads and signs it manually. In a later phase the AI drafts and routes the document, but the realtor signs first, legally binding themselves to the AI output before the client sees it. Autonomy grows only where a stronger accountability mechanism replaces the manual one.

Is client or MLS data used to train the models?

RAILS prohibits using protected data to train, fine-tune, improve, or evaluate a model unless every party with the legal right to authorize that use has done so. The framework also treats retention as its own control surface, separate from training claims, across nine distinct places data can persist.

Who is RAILS for?

Boards, MLSs, brokerages, professional associations, regulators, and technology vendors that need a shared vocabulary of protected data domains, capability tiers, approval boundaries, certification evidence, and audit requirements for agentic AI.

Evidence

Selected primary sources and standards

Product claims are factual only to the extent supported by the linked publisher. The RAILS architecture, tiers, policy language, and roadmap are proposals by the authors. Legal requirements vary and must be re-verified before adoption.

  1. 01
  2. 02
  3. 03
  4. 04
  5. 05
  6. 06
  7. 07
  8. 08
  9. 09
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
  16. 16
  17. 17
  18. 18
  19. 19
  20. 20
  21. 21
  22. 22
  23. 23
  24. 24
  25. 25
  26. 26
Version 1.2Prepared for policy, legal, security, and technical reviewLast verified July 16, 2026
Share Post LinkedIn Email